1. Field of the Invention
The present invention relates to access control mechanisms for preventing unauthorized access and, more particularly, to an improved system that integrates a unique fail counter in the password, pass phrase or personal identification number (PIN) validation process.
2. Description of the Background
Today, many products, devices and/or systems rely on passwords, pass-phrases or personal identification numbers (PINs) to serve as an access control mechanism. One of the security challenges related to these access control mechanisms (hereinafter collectively referred to as PINs) is the determination of an optimal PIN length and character composition. Obviously, a longer PIN created from a complex character set will be harder to guess than a short PIN created from a restricted character set. Unfortunately, it will also be harder for the user to remember. In order to enhance the level of security afforded to a system that uses a PIN as an access control mechanism, it is advisable to incorporate a fail counter into the PIN validation routine.
Incorporating a fail counter into the PIN validation routine is a simple task which can be accomplished via hardware, software, and/or firmware. Typically, a comparator compares the entered PIN to the correct PIN. Of note, the correct PIN is typically stored on a token or in a database. A fail counter keeps count of failed attempts. A number of actions can be taken when an individual consistently re-enters bad PINs. For instance, the system managers can be alerted to the possibility that an unauthorized access has been attempted. In addition, the system may prevent further access attempts after a certain number of failed attempts.
U.S. Pat. No. 5,594,227 discloses a system and method for protecting unauthorized access to data contents using a cumulative fail counter. The fail counter keeps a fail count LD indicative of the number of times that an entered password fails to match a stored password. The fail counter is incremented when the entered password fails to match the stored password and decremented when the entered password successfully matches the stored password. In addition to the fail count, a separate delay counter maintains a delay count that is incremented each time the access is attempted, regardless of whether successful or not. Whenever the fail count is not equal to its starting value of zero, access is denied. Access is denied even though a match might occur after initial misses because the fail count is not zero. Further, when access is denied, a delay period is imposed before comparing the next entered password received from the smart card terminal. The delay period increases each time based upon a function of the delay count. While the '227 patent reduces the chance of unauthorized access, it is a cumbersome implementation. First, a delay counter must be employed in tandem with the fail counter. Second, when access is denied, a delay period is imposed before processing the next entry. This is tedious for legitimate users who have mistakenly typed the wrong PIN. Moreover, the cumulative result is longer lines at the card terminal. Third, the '227 implementation is geared specifically toward smart cards and other integrated circuit cards. It would be greatly advantageous to develop an access control system that requires fewer steps to implement, does not require a timing mechanism (for a delay counter or otherwise), and that is easier to integrate into all existing and future access control architectures.
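The cumulative fail counter and delay counter summarized above can be modeled as follows. This is an added illustration, not code from the '227 patent or from the present disclosure. It assumes that the zero check is applied after the counter update, that the fail count never drops below zero, and that the delay grows linearly with the delay count; the class name, function names, PIN values and delay function are hypothetical.

```python
import hmac


class CumulativeFailCounter:
    """Model of the cumulative fail counter / delay counter scheme described above."""

    def __init__(self, stored_pin, base_delay=1.0):
        self._stored = stored_pin.encode()
        self.base_delay = base_delay  # assumed unit delay, in seconds
        self.fail_count = 0           # starting value of zero
        self.delay_count = 0          # incremented on every attempt

    def attempt(self, entered_pin):
        """Return (granted, delay_before_next_comparison)."""
        self.delay_count += 1  # counts successful and failed attempts alike
        # Constant-time comparison; a choice made for this sketch only.
        match = hmac.compare_digest(entered_pin.encode(), self._stored)
        if match:
            # Assumption: the decrement stops at zero.
            self.fail_count = max(0, self.fail_count - 1)
        else:
            self.fail_count += 1
        # Assumption: the zero check runs after the update, so a correct
        # entry is still refused while earlier misses remain on the count.
        granted = match and self.fail_count == 0
        # Assumption: linear delay function; the value is returned rather
        # than slept on, so the model needs no timer.
        delay = 0.0 if granted else self.base_delay * self.delay_count
        return granted, delay


def replay(stored_pin, entries):
    """Run a sequence of entries; return (granted, delay, fail_count) per entry."""
    gate = CumulativeFailCounter(stored_pin)
    return [gate.attempt(entry) + (gate.fail_count,) for entry in entries]


# Constructed sample: two mistyped PINs followed by the correct one.
SAMPLE = ["1111", "2222", "4821", "4821", "4821"]

if __name__ == "__main__":
    for entered, (granted, delay, fails) in zip(SAMPLE, replay("4821", SAMPLE)):
        print(f"{entered}: granted={granted} delay={delay}s fail_count={fails}")
```

Under these assumptions, a legitimate user who mistypes twice must enter the correct PIN twice, waiting out a growing delay each time, before access is granted.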